Explainable Analysis of Security Information and Event Management (SIEM) Event Logs for Event Profiling and Preliminary Triage


Pranisa Israsena
Lalita Na Nongkhai
Amonpan Chomklin

Abstract

Security Information and Event Management (SIEM) systems generate large volumes of heterogeneous event logs, imposing substantial investigation workloads on Security Operations Centers (SOCs). This study proposes an explainable framework for SIEM event analysis and preliminary triage that emphasizes interpretability and operational applicability without requiring labeled training data. The framework integrates descriptive and temporal analysis, structural association analysis using Spearman correlation, K-means clustering over TF-IDF features to construct interpretable event profiles, and explainable triage scoring based on standard SIEM indicators (severity, priority, confidence, and aggregated counts). Experimental evaluation on operational SIEM logs (n = 3,490 events) shows a 93.8% workload reduction while retaining 98.97% of high-severity events. Validation with labeled attack data (489 SQL injection attempts and 301 brute-force attacks) achieves a 98.2% detection rate (776 of 790 attacks correctly prioritized) with a 1.8% false-negative rate, substantially outperforming severity-only (78.5%) and severity-plus-priority (89.1%) baselines. The results confirm that unsupervised event profiling combined with explainable triage scoring effectively distinguishes genuine security incidents from routine monitoring events. The framework provides a practical, transparent analytical baseline for SOC environments that supports analyst decision-making under realistic operational constraints.
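The triage stage described in the abstract scores each event from the four indicators a SIEM already carries (severity, priority, confidence, aggregated count) and keeps the per-indicator contributions so an analyst can see why an event was escalated or deferred. The following Python is an added illustration of that idea and of the three evaluation metrics the abstract reports (workload reduction, high-severity retention, detection rate against labeled attacks), compared against severity-only and severity-plus-priority baselines on the same event set. It is not the authors' code: the weights, the 1-10 indicator scales, the 0.5 escalation threshold, the log-scaled count factor and the twelve sample events are all assumptions constructed for the example, and the clustering stage (TF-IDF and K-means) is not shown.

```python
"""Explainable triage scoring for SIEM events plus the evaluation metrics from
the abstract. Added illustration: weights, scales and sample events are assumed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    name: str
    severity: int      # 1..10 (assumed SIEM scale)
    priority: int      # 1..10
    confidence: int    # 1..10
    count: int         # aggregated (coalesced) occurrence count
    is_attack: bool = False  # ground-truth label, used only for evaluation


# Assumed weights; in practice tuned per SOC and kept visible to analysts.
WEIGHTS = {"severity": 0.40, "priority": 0.25, "confidence": 0.20, "count": 0.15}
THRESHOLD = 0.5    # events scoring at or above this are escalated for review
COUNT_CAP = 1000   # aggregated counts saturate here on a log scale


def count_factor(count: int) -> float:
    """Map a count into [0, 1] on a log scale: 5 and 500 repeats differ,
    while 5,000 and 100,000 both saturate at 1, so volume alone cannot escalate."""
    return min(1.0, math.log10(count + 1) / math.log10(COUNT_CAP + 1))


def triage_score(ev: Event, weights=WEIGHTS):
    """Weighted sum of normalised indicators; returns the score together with
    the per-indicator contributions that explain it."""
    factors = {"severity": ev.severity / 10, "priority": ev.priority / 10,
               "confidence": ev.confidence / 10, "count": count_factor(ev.count)}
    contributions = {k: round(weights[k] * v, 4) for k, v in factors.items()}
    return round(sum(contributions.values()), 4), contributions


def severity_only(ev: Event):
    """Baseline 1: escalate on severity alone."""
    return round(ev.severity / 10, 4), {"severity": ev.severity / 10}


def severity_priority(ev: Event):
    """Baseline 2: severity and priority only (weights assumed)."""
    c = {"severity": round(0.6 * ev.severity / 10, 4),
         "priority": round(0.4 * ev.priority / 10, 4)}
    return round(sum(c.values()), 4), c


def explain(ev: Event, scorer=triage_score) -> str:
    """One-line rationale an analyst can read: verdict, score, ranked factors."""
    score, contributions = scorer(ev)
    verdict = "ESCALATE" if score >= THRESHOLD else "defer"
    parts = ", ".join(f"{k}={v:.4f}" for k, v in
                      sorted(contributions.items(), key=lambda kv: -kv[1]))
    return f"{ev.event_id} {ev.name!r}: {verdict} score={score:.4f} [{parts}]"


def evaluate(events, scorer, threshold=THRESHOLD, high_severity=7):
    """Metrics from the abstract, computed for any scorer so baselines can be
    compared on the same event set."""
    escalated = {ev.event_id for ev in events if scorer(ev)[0] >= threshold}
    high = [ev for ev in events if ev.severity >= high_severity]
    attacks = [ev for ev in events if ev.is_attack]
    caught = sum(1 for ev in attacks if ev.event_id in escalated)
    return {
        "escalated": len(escalated),
        "workload_reduction": round(1 - len(escalated) / len(events), 4),
        "high_severity_retention": round(
            sum(1 for ev in high if ev.event_id in escalated) / len(high), 4),
        "detection_rate": round(caught / len(attacks), 4),
        "false_negatives": len(attacks) - caught,
    }


# Constructed sample events (not real SIEM data). Values are chosen so that
# severity alone misses two labelled attacks that the combined score catches,
# and so that one high-severity event from an authorised scanner is deferred
# because its confidence is minimal.
SAMPLE_EVENTS = [
    Event("E1", "Firewall permit", 1, 1, 2, 5000),
    Event("E2", "Windows logon success", 2, 2, 3, 800),
    Event("E3", "SQL injection attempt", 8, 7, 8, 12, is_attack=True),
    Event("E4", "SQL injection attempt (generic web rule)", 4, 7, 9, 40, is_attack=True),
    Event("E5", "Brute force login", 4, 5, 8, 600, is_attack=True),
    Event("E6", "Antivirus signature update", 3, 2, 5, 30),
    Event("E7", "Exploit attempt from authorised scanner", 7, 3, 1, 20),
    Event("E8", "Malware detected", 9, 9, 9, 1),
    Event("E9", "Brute force login", 6, 6, 7, 150, is_attack=True),
    Event("E10", "DNS query", 1, 1, 1, 100000),
    Event("E11", "Windows logon success", 2, 1, 3, 40),
    Event("E12", "Firewall deny", 3, 3, 4, 2500),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(explain(ev))
    for label, scorer in [("severity-only", severity_only),
                          ("severity+priority", severity_priority),
                          ("full triage score", triage_score)]:
        print(label, evaluate(SAMPLE_EVENTS, scorer))
```

On this constructed set the severity-only baseline escalates four events and catches half of the labeled attacks, severity-plus-priority catches three of four, and the full score catches all four while deferring the scanner event (E7) whose contributions show a high severity term outweighed by near-zero confidence and priority. That deferred high-severity event is why retention is below 100%, as in the abstract's 98.97% figure, and the printed contributions are the audit trail an analyst would use to decide whether that trade-off is acceptable for their environment.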

Article Details

How to Cite
[1] P. Israsena, L. Na Nongkhai, and A. Chomklin, “Explainable Analysis of Security Information and Event Management (SIEM) Event Logs for Event Profiling and Preliminary Triage”, JIST, vol. 16, no. 1, pp. 27–39, Jun. 2026.
Section
Research Article: Information Assurance and Security

References

G. González-Granadillo, S. González-Zarzosa, and R. Diaz, “Security Information and Event Management (SIEM): Analysis, trends, and usage in critical infrastructures,” Sensors, vol. 21, no. 14, Art. no. 4759, 2021, doi: 10.3390/s21144759.

S. Tariq, M. B. Chhetri, S. Nepal, and C. Paris, “Alert fatigue in security operations centres: Research challenges and opportunities,” ACM Computing Surveys, vol. 57, no. 9, Art. no. 224, 2025, doi: 10.1145/3723158.

R. Guidotti et al., “A survey of methods for explaining black box models,” ACM Computing Surveys, vol. 51, no. 5, Art. no. 93, 2018, doi: 10.1145/3236009.

J. Gama, I. Žliobaitė, A. Bifet, M. Pechenizkiy, and A. Bouchachia, “A survey on concept drift adaptation,” ACM Computing Surveys, vol. 46, no. 4, Art. no. 44, 2014, doi: 10.1145/2523813.

N. Tendikov et al., “Security Information Event Management data acquisition and analysis methods with machine learning principles,” Results in Engineering, vol. 22, Art. no. 102254, 2024, doi: 10.1016/j.rineng.2024.102254.

G. Salton and C. Buckley, “Term-weighting approaches in automatic text retrieval,” Information Processing & Management, vol. 24, no. 5, pp. 513–523, 1988, doi: 10.1016/0306-4573(88)90021-0.

R. Sommer and V. Paxson, “Outside the closed world: On using machine learning for network intrusion detection,” in Proc. IEEE Symposium on Security and Privacy, 2010, pp. 305–316, doi: 10.1109/SP.2010.25.

K. Scarfone and M. Souppaya, Guide to Computer Security Log Management, NIST Special Publication 800-92, National Institute of Standards and Technology, 2006, doi: 10.6028/NIST.SP.800-92.

M. Landauer, F. Skopik, M. Wurzenberger, and A. Rauber, “System log clustering approaches for cyber security applications: A survey,” Computers & Security, vol. 92, Art. no. 101739, 2020, doi: 10.1016/j.cose.2020.101739.

X. Wang et al., “Combating alert fatigue with AlertPro: Context-aware alert prioritization using reinforcement learning for multi-step attack detection,” Computers & Security, vol. 137, Art. no. 103583, 2024, doi: 10.1016/j.cose.2023.103583.

F. Jalalvand, M. B. Chhetri, S. Nepal, and C. Paris, “Alert prioritisation in security operations centres: A systematic survey on criteria and methods,” ACM Computing Surveys, vol. 57, no. 2, Art. no. 42, 2025, doi: 10.1145/3695462.

S. P. Lloyd, “Least squares quantization in PCM,” IEEE Transactions on Information Theory, vol. 28, no. 2, pp. 129–137, 1982, doi: 10.1109/TIT.1982.1056489.

C. Spearman, “The proof and measurement of association between two things,” The American Journal of Psychology, vol. 15, no. 1, pp. 72–101, 1904, doi: 10.2307/1412159.

P. J. Rousseeuw, “Silhouettes: A graphical aid to the interpretation and validation of cluster analysis,” Journal of Computational and Applied Mathematics, vol. 20, pp. 53–65, 1987, doi: 10.1016/0377-0427(87)90125-7.